how to disable backoffice properly in authoring and public website architecture?
Our Umbraco website is architected such that there are 2 instances; a public website without the Umbraco backoffice UI, and an Umbraco backoffice authoring website behind a firewall (so that it’s not publicly accessible). This is achieved with Octopus deployment to tailor the artifacts needed for each instance (Umbraco and Umbraco_Client folders, or not), and also we set the instance role in code to either AuthoringServerRegistrar or PublicReadOnlyServerRegistrar as per “flexible load balancing” https://our.umbraco.org/documentation/Getting-Started/Setup/Server-Setup/load-balancing/flexible-advanced
A security audit has identified that the Umbraco endpoints are still accessible on the public instance, i.e. '/umbraco/backoffice/' and '/umbraco/backoffice/UmbracoApi/Authentication/PostLogin'.
My question is: does this mean there is a vulnerability here that would allow a malicious user to perform backoffice functionality (if they had credentials)? Is there a way to ‘disable’ the Umbraco URL endpoints on the public instance? (Or another strategy to achieve the goal of preventing the publishing functionality being available via the public website?)
Thanks
Andrew
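One way to block the routes the audit found, added here as an example and not taken from the post above or from Umbraco's own configuration: an IIS URL Rewrite rule in the web.config of the public instance that answers 404 for the back-office entry points, while leaving /umbraco/Surface and /umbraco/Api alone because front-end forms and API controllers are routed there. It assumes the IIS URL Rewrite module is installed and that this fragment is deployed only to the public role (for example through an Octopus config transform); removing the Umbraco UI folders alone does not unregister the MVC/WebApi back-office routes, which is why the endpoints still respond.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config fragment for the PUBLIC instance only (not Umbraco's own config). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Return a plain 404 for the back-office login page (/umbraco) and for
             everything under /umbraco/backoffice, which includes
             /umbraco/backoffice/UmbracoApi/Authentication/PostLogin.
             /umbraco/Surface/... and /umbraco/Api/... are deliberately not matched. -->
        <rule name="Block Umbraco back office on public instance" stopProcessing="true">
          <match url="^umbraco/?$|^umbraco/backoffice(/|$)" ignoreCase="true" />
          <action type="CustomResponse"
                  statusCode="404"
                  statusReason="Not Found"
                  statusDescription="The requested resource is not available on this server." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, re-request the two paths listed in the audit from outside the firewall and confirm they return 404 with no Umbraco authentication cookie in the response; the authoring instance, which keeps the back office, should stay unchanged. Treat this rule as defence in depth on top of the firewall in front of the authoring instance rather than as a replacement for it, and keep the public instance's back-office accounts and connection strings as tightly scoped as the authoring instance's, since the application code behind the blocked routes is still deployed there.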